amplify-education / serverless-domain-manager

Serverless plugin for managing custom domains with API Gateways.


API Gateway /restapis permissions

delenamalan opened this issue

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Bug Report

Error Description

I got permissions errors like these:

User: arn:aws:iam::123:user/deploy-user is not authorized to perform: apigateway:DELETE on resource: arn:aws:apigateway:eu-central-1::/restapis/123/deployments/123 because no identity-based policy allows the apigateway:DELETE action

Unfortunately, I didn't take note of all of them exactly.

Command Run
sls deploy

Console Output

User: arn:aws:iam::123:user/deploy-user is not authorized to perform: apigateway:DELETE on resource: arn:aws:apigateway:eu-central-1::/restapis/123/deployments/123 because no identity-based policy allows the apigateway:DELETE action

Domain Manager Configuration
Replace this with your own serverless.yml file (anonymized, of course) to help us better resolve your issue.

custom:
  customDomain:
    domainName: ${env:DOMAIN}
    route53Profile: ${env:AWS_ROUTE53_PROFILE}
    route53Region: ${env:AWS_ROUTE53_REGION}
    certificateArn: ${env:CERTIFICATE_ARN}
    apiType: rest
    endpointType: edge
    basePath: ''

Versions

  • Domain Manager version(s): 6.2.2
  • Node/npm version: Node v18.11.0/npm 8.19.2
  • Serverless Version: 3.27.0
  • Lambda Code: JavaScript

Possible Solution

CloudFormation permissions like these:

          - Effect: Allow
            Action:
              - apigateway:POST
              - apigateway:GET
              - apigateway:PUT
            Resource:
              - !Sub arn:aws:apigateway:${Region}::/restapis
              - !Sub arn:aws:apigateway:${Region}::/restapis/*
          - Effect: Allow
            Action:
              - apigateway:DELETE
            Resource:
              - !Sub arn:aws:apigateway:${Region}::/restapis/*
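
The check below is an added example, not part of the original issue or the plugin's code: it parses the access-denied message quoted above and tests the denied request against the statements proposed under Possible Solution. It assumes ${Region} resolves to eu-central-1 and evaluates only Allow statements with IAM-style wildcards; the function names and the /domainnames sample resource are constructed for illustration.

```python
import re

# Error text from the issue (account and API ids are the issue's anonymized values).
ERROR = ("User: arn:aws:iam::123:user/deploy-user is not authorized to perform: "
         "apigateway:DELETE on resource: "
         "arn:aws:apigateway:eu-central-1::/restapis/123/deployments/123 "
         "because no identity-based policy allows the apigateway:DELETE action")

# The issue's proposed statements, with ${Region} resolved to eu-central-1 (assumption).
BASE = "arn:aws:apigateway:eu-central-1::"
STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["apigateway:POST", "apigateway:GET", "apigateway:PUT"],
     "Resource": [BASE + "/restapis", BASE + "/restapis/*"]},
    {"Effect": "Allow",
     "Action": ["apigateway:DELETE"],
     "Resource": [BASE + "/restapis/*"]},
]

DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denial(message):
    """Pull principal, action and resource out of an IAM access-denied message."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    return m.groupdict()

def _glob(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' is one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def allowed(statements, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Simplified: no Deny, Condition, NotAction/NotResource, boundaries or SCPs."""
    for s in statements:
        if (s["Effect"] == "Allow"
                and any(_glob(a, action, re.IGNORECASE) for a in s["Action"])
                and any(_glob(r, resource) for r in s["Resource"])):
            return True
    return False

if __name__ == "__main__":
    d = parse_denial(ERROR)
    print(d["action"], d["resource"], allowed(STATEMENTS, d["action"], d["resource"]))
    print(allowed(STATEMENTS, "apigateway:DELETE", BASE + "/restapis"))  # collection itself
    print(allowed(STATEMENTS, "apigateway:GET", BASE + "/domainnames/example.com"))
```

Running each denial from a failed deploy through a check like this shows which statement, if any, covers it before the policy is widened.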

Hi @delenamalan

It's not related to the plugin. The plugin does not manage AWS permissions.

@rddimon thank you, but the plugin does provide suggested permissions in the README.md and CloudFormation template though, right?

In the readme, we just provided an example of the needed permissions.
We can't cover all the single examples and this is not the scope of the plugin.

Reopened it as it can be helpful for the other folks.
We will take a look at it.

Thank you. I get what you're saying now though so totally okay if this is out of the scope of the plugin :)